Title: Are dl501 flashes RSA signed?
Post by: fastboatster on August 09, 2020, 05:02:44 PM

Was looking at DL501 fr the other day specifically looking for the flash memory and eeprom protection and didn't see that flash area rsa protected, all I could see that there are some errors thrown when the checksums for some areas are not correct. Am I missing something and being overly optimistic here or there's no RSA protection, only checksum verification of certain flash areas? I think I saw that some early dq250s only had checksums and no RSA verification.

P.S. got the dq250 part slightly wrong, per one thread: "DQ250 Exx/Fxx don't have checksums active on the data area" So not even calibration area checksum verification in some dq250s. Still, need to figure out if dl501 has an RSA protected flash.

Title: Re: Are dl501 flashes RSA signed?
Post by: prj on August 09, 2020, 11:58:57 PM

No RSA

Title: Re: Are dl501 flashes RSA signed?
Post by: fastboatster on August 10, 2020, 11:53:46 AM

great, thanks! I can see crc32 table in one vr file I have, the bad part is that that bin might not be for transmission. Another noobish question I got is what to use to read the data from the dsg connector. Given current situation, pcm flash is months away as well as cheap chinese clones and all the brand-name tools are ludicrously expensive. I'm thinking of making my own dsg adapter, however, the question stands on how to read the flash using it. got to know seed and key algo for this trans (might locate in the bin I got?)

Title: Re: Are dl501 flashes RSA signed?
Post by: SB_GLI on August 10, 2020, 05:12:19 PM

I can help if you need to write the dl501 via obd.

Title: Re: Are dl501 flashes RSA signed?
Post by: fastboatster on August 10, 2020, 05:49:33 PM

"I can help if you need to write the dl501 via obd."

that'd be very much appreciated! I don't yet know what to write, though. I have recently updated my software from 8K1927156C 0002 to 8K1927156AD 0006 to be able to do main pressure and clutch valve calibration and just make the trans work smoother. I'm currently looking at some VR of very old software (8K0927156H) for 2011 S5 which might not work with my 2010 plus it's also one of the software versions Audi decided to sunset and supersede with 8K1927156AC. My plan was to figure out how to read the 8K1927156AD from my trans and try to modify it. As of now, I'm looking at the VR I have and trying to identify which areas are covered by crc32 calc. I was able to quickly identify crc32 table using binwalk and there seems to be one function addressing that area directly. It is called by only 4 functions, so hopefully I won't have to peel that onion for too long.

Title: Re: Are dl501 flashes RSA signed?
Post by: fastboatster on August 16, 2020, 06:23:04 PM

Another noobish question - is there a way to find the locations of checksums and locations they correspond to? Interested in this in general and for dl501 specifically. I have found a crc32 calculation function and polynomial table in the binary using Ghidra, however, I couldn't find the exact table locations looking at 4 functions calling crc32 routine directly. Wonder if checksum tables should have some characteristics which can make finding them possible just by looking at the binary
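
Added example, not part of the thread or any poster's code: a sketch of the kind of signature scan that locates a CRC-32 lookup table in a firmware image, covering both table variants and both byte orders. The two polynomials are an assumption (the thread does not say which one the DL501 firmware uses), and the sample image is constructed.

```python
import struct

# Assumption: the two common CRC-32 polynomials; the thread does not say
# which one the DL501 firmware uses.
POLYS = {"reflected": 0xEDB88320, "normal": 0x04C11DB7}


def crc32_table(variant):
    """Build the 256-entry lookup table for 'reflected' or 'normal' CRC-32."""
    poly, table = POLYS[variant], []
    for i in range(256):
        c = i if variant == "reflected" else i << 24
        for _ in range(8):
            if variant == "reflected":
                c = (c >> 1) ^ poly if c & 1 else c >> 1
            else:
                c = (c << 1) ^ poly if c & 0x80000000 else c << 1
                c &= 0xFFFFFFFF
        table.append(c)
    return table


def find_crc32_tables(image, prefix_entries=8):
    """Return sorted (offset, variant-endianness, complete) hits in image."""
    hits = []
    for variant in POLYS:
        for endian, fmt in (("le", "<"), ("be", ">")):
            full = struct.pack(fmt + "256I", *crc32_table(variant))
            sig = full[:prefix_entries * 4]  # short signature, then full compare
            pos = image.find(sig)
            while pos != -1:
                complete = image[pos:pos + len(full)] == full
                hits.append((pos, f"{variant}-{endian}", complete))
                pos = image.find(sig, pos + 1)
    return sorted(hits)


def make_sample_image():
    """Constructed sample: 0xFF filler, big-endian reflected table at 0x400."""
    table = struct.pack(">256I", *crc32_table("reflected"))
    return b"\xff" * 0x400 + table + b"\x00" * 0x100


if __name__ == "__main__":
    for offset, kind, complete in find_crc32_tables(make_sample_image()):
        print(f"0x{offset:06x} {kind} complete={complete}")
```

A hit only gives the address of the lookup table; the start and end addresses of the checksummed regions and the stored checksum values are separate data that this scan does not locate.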